WebID in progress (host white list, more checks,...)
This commit is contained in:
parent
14937b1585
commit
8873d7ee23
@ -12,15 +12,19 @@ package Lemonldap::NG::Portal::AuthWebID;
|
|||||||
use strict;
|
use strict;
|
||||||
use Lemonldap::NG::Portal::Simple;
|
use Lemonldap::NG::Portal::Simple;
|
||||||
use Lemonldap::NG::Portal::AuthSSL;
|
use Lemonldap::NG::Portal::AuthSSL;
|
||||||
|
use Lemonldap::NG::Common::Regexp;
|
||||||
|
use Regexp::Assemble;
|
||||||
|
|
||||||
our $VERSION = '1.3.0';
|
our $VERSION = '1.3.0';
|
||||||
our @ISA = qw(Lemonldap::NG::Portal::AuthSSL);
|
our @ISA = qw(Lemonldap::NG::Portal::AuthSSL);
|
||||||
our $initDone;
|
our $initDone;
|
||||||
|
our $reWebIDWhitelist;
|
||||||
|
|
||||||
BEGIN {
|
BEGIN {
|
||||||
eval {
|
eval {
|
||||||
require threads::shared;
|
require threads::shared;
|
||||||
threads::shared::share($initDone);
|
threads::shared::share($initDone);
|
||||||
|
threads::shared::share($reWebIDWhitelist);
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -34,19 +38,53 @@ sub authInit {
|
|||||||
eval "use Web::ID";
|
eval "use Web::ID";
|
||||||
$self->abort( 'Unable to load Web::ID', $@ ) if ($@);
|
$self->abort( 'Unable to load Web::ID', $@ ) if ($@);
|
||||||
$initDone++;
|
$initDone++;
|
||||||
|
|
||||||
|
# Now examine white list and compile it
|
||||||
|
my @hosts = split /\s+/, $self->{webIDWhitelist};
|
||||||
|
$self->abort( 'WebID white list is empty',
|
||||||
|
'Set it in manager, use * to accept all FOAF providers' )
|
||||||
|
unless (@hosts);
|
||||||
|
my $re = Regexp::Assemble->new();
|
||||||
|
foreach my $h (@hosts) {
|
||||||
|
$self->lmLog( "Add $h in WebID whitelist", 'debug' );
|
||||||
|
$h = quotemeta($h);
|
||||||
|
$h =~ s/\\\*/\.\*\?/g;
|
||||||
|
$re->add($h);
|
||||||
|
}
|
||||||
|
$reWebIDWhitelist = '^https?://' . $re->as_string . '(?:/.*|)$';
|
||||||
|
|
||||||
}
|
}
|
||||||
PE_OK;
|
PE_OK;
|
||||||
}
|
}
|
||||||
|
|
||||||
sub extractFormInfo {
|
sub extractFormInfo {
|
||||||
my $self = shift;
|
my $self = shift;
|
||||||
|
|
||||||
|
# 1. Verify SSL exchange using AuthSSL::extractFormInfo()
|
||||||
my $tmp = $self->SUPER::extractFormInfo(@_);
|
my $tmp = $self->SUPER::extractFormInfo(@_);
|
||||||
return $tmp unless ( $tmp eq PE_OK );
|
return $tmp unless ( $tmp eq PE_OK );
|
||||||
return PE_CERTIFICATEREQUIRED
|
|
||||||
unless ( $ENV{SSL_CLIENT_CERT}
|
# 2. Return an error if SSL_CLIENT_CERT is not set
|
||||||
and $self->{webid} =
|
$self->abort( 'SSL configuration error',
|
||||||
|
'Unable to get client certificate, SSL_CLIENT_CERT is not set' )
|
||||||
|
unless ( $ENV{SSL_CLIENT_CERT} );
|
||||||
|
|
||||||
|
# 3. Verify that certificate is WebID compliant
|
||||||
|
return PE_BADCREDENTIALS
|
||||||
|
unless ( $self->{webid} =
|
||||||
Web::ID->new( certificate => $ENV{SSL_CLIENT_CERT} ) );
|
Web::ID->new( certificate => $ENV{SSL_CLIENT_CERT} ) );
|
||||||
return ( $self->{webid}->valid() ? PE_OK : PE_BADCREDENTIALS );
|
|
||||||
|
# WebID URI is used as user field
|
||||||
|
$self->{user} = $self->{webid}->uri;
|
||||||
|
|
||||||
|
# 4. Verify that FOAF host is in white list
|
||||||
|
return PE_BADPARTNER unless ( $self->{user} =~ $reWebIDWhitelist );
|
||||||
|
|
||||||
|
# 5. Verify FOAF document
|
||||||
|
return PE_BADCREDENTIALS unless ( $self->{webid}->valid() );
|
||||||
|
|
||||||
|
# 6. OK, access granted
|
||||||
|
return PE_OK;
|
||||||
}
|
}
|
||||||
1;
|
1;
|
||||||
__END__
|
__END__
|
||||||
|
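Review bot: The wildcard expansion `$h =~ s/\\\*/\.\*\?/g;` turns `*` into `.*?`, which also matches `/`, `?`, `@` and `:`, so an entry such as `*.example.com` compiles to `^https?://.*?\.example\.com(?:/.*|)$` and a WebID URI like `https://attacker.net/x/.example.com` passes the check `return PE_BADPARTNER unless ( $self->{user} =~ $reWebIDWhitelist );`, after which `valid()` would dereference an attacker-controlled FOAF document (assuming `$self->{webid}->uri` is the URI taken from the presented client certificate, which the hunk does not show). Keeping the wildcard inside the host component closes this while a bare `*` still means "any host": `$h =~ s/\\\*/[A-Za-z0-9.-]*/g;` (if hosts with an explicit port must be accepted, allow `(?::\d+)?` after the host part explicitly rather than via `.*`). Separately, `split /\s+/, $self->{webIDWhitelist}` yields an empty first element when the setting has leading whitespace, and that empty entry presumably becomes an empty host alternative in the assembled pattern, so filter with `grep { length } split /\s+/, $self->{webIDWhitelist}`. The whitelist compilation sits in authInit, whose start is outside the hunk; extractFormInfo is fully visible.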